It is apparent with all their major products. Windows 7, Windows 2008 and Exchange in particular are all very poorly documented and hard to troubleshoot. When you confront Microsoft about this, their response is “It should just work; if it doesn’t, then call support. You shouldn’t have to read documentation to understand the product. If you have questions, post them to the forums or read blog posts.” I am very sorry, but this does not work very well. I have opened my fair share of support cases and none have turned out well, besides being wastes of time. The blog information is a patchwork of non-linear information that you need to adapt and interpret to your particular problem. Posting to MS forums has also proved useless, because if you’re having a real, unique issue you are told to open a support case.

Some executive inside MS looking to cut costs decided he would cut all public documentation (i.e. Knowledge Base Articles) and then charge customers for “premium support” and this was an instant boost to the bottom line.

I found this very useful script a while back that will give a local user temporary administrator rights without having to log off. Even though it is not possible to refresh the group membership in a user's security token without logging off, this script makes it possible to execute programs as the current user with administrator rights.

Essentially all the script does is:

1. Authenticate as an administrator;

2. Add the user to the local Administrators group;

3. Start a command-line process in a new logon session, so that the user gets a fresh token that includes the administrator rights.
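The three steps above, as an added PowerShell example that is not the script the post refers to. It assumes it is run from an already-elevated PowerShell session (PowerShell 3.0 or later), that the account named in `$UserName` is a local account on this machine, and it uses `net localgroup` rather than the newer Add-LocalGroupMember cmdlet so the same commands apply to older systems. The `$TimeoutMinutes` bound is a hypothetical addition of mine, not something the original script is described as doing.

```powershell
<#
  Added example (not the post's script): grant a local account temporary membership
  in the local Administrators group, start a shell under that account so it receives
  a fresh token that carries the new group, and revoke the membership afterwards.
  Assumptions: elevated session, local account, 'net localgroup' available.
#>
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [int]$TimeoutMinutes = 30    # hypothetical upper bound on the elevation window
)

$Group = 'Administrators'

function Test-LocalGroupMember {
    param([string]$Group, [string]$User)
    # 'net localgroup <group>' prints a few header lines, then one member per line
    $members = (net localgroup $Group) | ForEach-Object { $_.Trim() }
    return [bool]($members -contains $User)
}

function Set-LocalGroupMembership {
    param([string]$Group, [string]$User, [bool]$Member)
    $verb = if ($Member) { '/add' } else { '/delete' }
    net localgroup $Group $User $verb | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup $Group $User $verb failed ($LASTEXITCODE)" }
    Write-Verbose "$User $verb $Group at $(Get-Date -Format s)"
}

# Step 1 is implicit: this script only works from a session that already holds admin rights.
# Step 2: add the user, remembering whether they were already a member so we can restore that.
$wasMember = Test-LocalGroupMember -Group $Group -User $UserName
if (-not $wasMember) { Set-LocalGroupMembership -Group $Group -User $UserName -Member $true }

try {
    # Step 3: the existing desktop session keeps its old token, as the post notes; only a
    # new logon picks up the group change, so cmd.exe is started with the user's own
    # credentials (Windows prompts for the password) and therefore with a new token.
    $cred  = Get-Credential -UserName "$env:COMPUTERNAME\$UserName" -Message "Password for $UserName"
    $shell = Start-Process -FilePath 'cmd.exe' -Credential $cred -PassThru
    if (-not $shell.WaitForExit($TimeoutMinutes * 60 * 1000)) {
        Write-Warning "Shell still running after $TimeoutMinutes minutes; revoking membership anyway."
    }
}
finally {
    # Revoking the membership does not touch tokens already issued: cmd.exe and anything
    # it launched keep the Administrators group until they exit, so keep the window short.
    if (-not $wasMember) { Set-LocalGroupMembership -Group $Group -User $UserName -Member $false }
}
```

Two caveats worth knowing before relying on this: processes started inside the shell inherit its token and keep admin rights after the group membership is revoked, and on Vista and later with UAC enabled a process started this way for a user who is in Administrators receives the filtered (non-elevated) token, so the fresh logon alone does not give it administrative access.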

If you're like me, nothing makes you more uncomfortable than running Internet-facing applications with Administrator privileges. My wish would be to be able to (in Windows) log on to my computer as a simple user and "sudo" admin tasks without making my life hell. Unfortunately, Windows XP requires a legion of messy scripts to operate this way. It's possible Windows Vista will be the answer, but until then, I found a less intrusive method of solving this issue: let your user account have admin rights, but execute Internet apps with limited privileges. I first saw this on Mark's Sysinternals Blog: Running as Limited User – the Easy Way. Mark recommends using Sysinternals Process Explorer or PsExec to open the executable with limited rights. "Both Process Explorer and PsExec use the CreateRestrictedToken API to create a security context, called a token, that’s a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users Process Explorer calls CreateProcessAsUser to launch the target process with the new token." This is excellent, but there is an easier way of accomplishing the task.

One of the commentators of the blog entry pointed to the following:

With Windows XP or later, you can use Software Restriction Policies to force an application to run as a limited user. You simply need to change a registry setting on the machine used to edit the policy, so that the additional levels are visible.

1. Add a new DWORD value called Levels to the following registry key, and give it a value of 0x31000:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

2. Open the Group Policy object you want to edit, and navigate to:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules;

NB: If the Software Restriction Policies node has no entries, right-click and choose Create New Policies;

3. Right-click and choose New Path Rule…;

4. Select the path of the executable to restrict, and set the Security Level to Basic User;

You will need to refresh the group policy settings, and restart any affected applications for the changes to take effect.
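The same Software Restriction Policies setup, written as an added PowerShell example that is not from the post or the commenter. It applies steps 1 to 4 directly to the local policy's registry keys and then reads the rules back so the change can be verified. It assumes an elevated session, that the Software Restriction Policies node has already been created once in the editor (the "Create New Policies" step above), that `$ExePath` is a placeholder for the Internet-facing executable, and that the `<level>\Paths\{GUID}` layout with `ItemData` and `SaferFlags` values is the one the Group Policy editor itself writes for a path rule; verify the result in the editor afterwards.

```powershell
<#
  Added example (not from the post or the commenter): configure an SRP "Basic User"
  path rule through the registry and read it back. Assumptions: elevated session,
  SRP policies already created in the editor, placeholder executable path, and the
  Paths\{GUID} key layout matching what the Group Policy editor writes.
#>
param([string]$ExePath = 'C:\Program Files\ExampleApp\example.exe')  # placeholder path

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as used in the registry (the level subkeys are named in decimal)
$Level = @{
    Disallowed   = 0x0
    Untrusted    = 0x1000
    Restricted   = 0x10000
    BasicUser    = 0x20000
    Unrestricted = 0x40000
}

# Step 1: Levels = 0x31000 is exactly Untrusted + Restricted + Basic User, which is why
# the editor shows those three extra levels once the value is set.
function Enable-ExtraSaferLevels {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name 'Levels' -PropertyType DWord -Value 0x31000 -Force | Out-Null
}

# Steps 2 to 4 without the editor: a path rule is a {GUID} subkey under <level>\Paths
function Add-SaferPathRule {
    param([string]$Path, [int]$SecurityLevel = $Level.BasicUser, [string]$Description = '')
    $ruleKey = '{0}\{1}\Paths\{{{2}}}' -f $Safer, $SecurityLevel, [guid]::NewGuid()
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'ItemData'     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'Description'  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'LastModified' -PropertyType QWord        -Value (Get-Date).ToFileTime() -Force | Out-Null
    return $ruleKey
}

# Check: list every path rule at a level, so the change can be verified now and audited later
function Get-SaferPathRules {
    param([int]$SecurityLevel = $Level.BasicUser)
    $pathsKey = '{0}\{1}\Paths' -f $Safer, $SecurityLevel
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Path = $p.ItemData; Level = ('0x{0:X}' -f $SecurityLevel) }
    }
}

Enable-ExtraSaferLevels
$null = Add-SaferPathRule -Path $ExePath -Description 'Internet-facing app, run as Basic User'
Get-SaferPathRules | Format-Table -AutoSize
```

After running it, refresh policy with `gpupdate /force` and restart the application, as the commenter says; the rule then appears under Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules with Security Level set to Basic User. A path rule only matches the executable as it is actually launched, so the path should be the one in the shortcut or service definition, not a copy elsewhere.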